CDRInfo Forum CDRInfo Forum

Forums  Register  Login  My Profile  Inbox  Address Book  My Subscription  My Forums 

Photo Gallery  Member List  Search  Calendars  FAQ  Ticket List  Log Out

Unpatched IE Flaw Is Worse Than Expected !   Logged in as: Guest
Viewers: 715 You can click here to see Today's Posts | Most Active Topics | Posts Since Last Visit
  Printable Version
All Forums >> [News Around The Web] >> Security News >> Unpatched IE Flaw Is Worse Than Expected ! Page: [1]
Message << Older Topic   Newer Topic >>
Unpatched IE Flaw Is Worse Than Expected ! - 11/29/2005 5:48:12 AM   

Posts: 12103
Joined: 7/4/2003
From: Melbourne, Victoria, AUS
Status: offline
Last week was shortened by the Thanksgiving holiday, and it seemed the malware guys took it off as well. There was not much going on of recent origin, and the biggest blip on the security radar was the realization by the security community that an Internet Explorer problem first identified six months ago was a lot worse than it appeared.

The realization caused Secunia to issue a rare "Extremely Critical" advisory. Once thought just to be a DoS vulnerability, it turns out that it also allows execution of arbitrary code.

Benjamin Tobias Franz figured out the original problem in March of this year, which can be summarized thusly: IE fails to correctly initialize the JavaScript "Window()" function, when used in conjunction with a event. This means that Internet Explorer encounters an exception when trying to call a dereferenced 32-bit address located in ECX.

If we execute the following code:


ECX will be populated by the Unicode representation of a text string named "OBJECT", which translates in hex to 0x006F005B. Because offset 0x006F005B points to an invalid (or non-existent) memory location, Internet Explorer fails to execute the next instruction in the stack and the user sees the application crash. This is why the problem was first classified as a Denial of Service.

Franz told Microsoft of the problem in March. Microsoft has done nothing to modify IE to reflect this information in the last six months. It may be because the risk of exploit was considered at the time to be "low".

And this is where things get more interesting.

S. Pearson, of, realized that the offset in the vulnerability had some specific properties, namely that the offset range is reserved for the facilitation of all opened Window characteristics on the desktop. These structures vary in both length and content, and usually will take the form of window titles, buttons, as well as the File/Edit/View menus bars that are attached to a specific Windows session.

Trying out various elements, he realized that a Javascript prompt box was of the right size and form to allow (by calling it a few times) the insertion of custom shellcode aligned to where the exception (when forced as shown in the preceeding paragraph) would end up (at 0x006F005B). That means a remote attacker can execute arbitrary code by using specific Javascript functions that were embedded into an otherwise normal looking Web page.

The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2, and Internet Explorer 6.0 and Microsoft Windows 2000 SP4. IE 5.x is also considered to be vulnerable.

A proof of concept page is available at to convince yourself that this does, indeed, work.

Since MS has not addressed this issue in IE, the only way to mitigate is to disable active scripting for non-trusted sites. Or don't use IE.

More turkey, anyone?

Source : SecurityIT Hub
Post #: 1
Page:   [1]
All Forums >> [News Around The Web] >> Security News >> Unpatched IE Flaw Is Worse Than Expected ! Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts

Forum Software © ASPPlayground.NET Advanced Edition 2.4.5 ANSI